Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Craig100 1136 posts 2523 karma points c-trib
    Jan 17, 2020 @ 22:32
    Craig100
    0

    Failing authorisation when calling an UmbracoAuthorizedApiController

    Ref: https://our.umbraco.com/forum/extending-umbraco-and-using-the-api/92375-best-way-to-authenticate-umbraco-api-request-as-back-office-user

    I'm having a similar issue with a new API I'm writing for a 7.15.3 site. As I understand it, inheriting from UmbracoAuthorizedApiController means you don't need to decorate the methods with [UmbracoAuthorize].

    My problem is that I don't appear to be able to get authorisation with my request. All I get in return is {"Message":"Authorization has been denied for this request."} In Postman I'm adding an Authorization header of Type "Basic Auth" with a correct username and password for a backoffice user.

    If I change the API to inherit from UmbracoApiController and change the route from /umbraco/backoffice/api/ to /umbraco/api/ it returns the expected JSON, so it's just the authorisation I'm having a problem with.

    The API is called from other websites.

    Relevant code here:

    namespace MySite.Web.Controllers.ApiControllers.NewsAndEvents
    {
        public class NewsAndEventsApiController : UmbracoAuthorizedApiController
            {
    
            string siteAddress = HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Authority);
    
            [HttpPost]
            public ArticleListResponseModel GetArticleList (ArticleListRequestModel jsonRequest) {
    
                ArticleListResponseModel returnArticleList = new ArticleListResponseModel();
             .... More  code....
            }
        }
    }
    

    Am I missing a trick somewhere? Any advice would be appreciated.

    //Craig

  • Simon Dingley 1474 posts 3431 karma points c-trib
    Jan 20, 2020 @ 08:16
    Simon Dingley
    0

    I'm not 100% sure you can authenticate the requests like that. I think you have to be logged into the back office first in order to make requests to controllers decorated with UmbracoAuthorizedApiController as it passes the authentication cookie along with the request. I seem to remember there is a setting in Postman to include your local cookies in requests you make.

  • Michael Pedersen 3 posts 75 karma points
    Jan 26, 2021 @ 07:22
    Michael Pedersen
    1

    I know this doesn't pertain to the original question. But I just googled how to setup Postman to be able to connect to UmbracoAuthorizeAPIController endpoints and this came up as the first hit.

    Just wanted to share that if you copy the UMB_UCONTEXT cookie over to postman using the "Cookies" link in the top right hand side, then you can call backend endpoints. You can also sync your cookies as Simon mentions. This uses the "Interceptor" in postman and requires a Chrome extension to run. There is a very easy guide for that in the "Cookies" section in Postman

  • Craig100 1136 posts 2523 karma points c-trib
    Jan 20, 2020 @ 20:14
    Craig100
    0

    Thanks Simon, it appears I'm mis-architecting it then. What I'm looking for is to secure my UmbracoAPI endpoint so it can be used by only certain requestors. Ideally they'd be either Umbraco users or Members (I don't mind which) so the client can easily control them and assign new accounts as needed.

    I suppose the question is, does Umbraco have such a facility, is there a package, or is time to roll one's own authentication system?

    Cheers,

    // Craig

  • Simon Dingley 1474 posts 3431 karma points c-trib
    Jan 21, 2020 @ 08:51
    Simon Dingley
    0

    See here: https://our.umbraco.com/documentation/reference/routing/webapi/authorization

    I am working on a v7 project at the moment that similarly needs to secure API endpoints and we have gone down the route of JWT. Warren Buckley has a project that might help point you in the right direction.

    https://github.com/warrenbuckley/Umbraco-JWT-AuthTokens/

    Hope that helps.

    Simon

  • Craig100 1136 posts 2523 karma points c-trib
    Jan 21, 2020 @ 08:57
    Craig100
    0

    Thanks Simon, I'll take a look.

Please Sign in or register to post replies

Write your reply to:

Draft